Weekly Alert  |  November 24, 2021

An Opportunity for You, our Readers! — Tomorrow is the Thanksgiving Holiday across the United States. It is traditionally a holiday in which families come together and give thanks for many things. We, at Scamadviser and The Daily Scam, want our readers to know that we are extremely grateful to you! We’re also grateful to the many people who send us the scams and malicious clickbait that target them so we can inform others. As our way of saying “thank you,” we want to invite you to give us your valuable feedback on how we’re doing.  Please enter your response into the Google Form question above. Thanks!

In previous newsletters we have repeatedly said that cybercriminals take advantage of holidays and other annual events to craft and send their malicious clickbait. Here are two more recent examples. It was just Veterans Day in the U.S., and it is also the open enrollment period for Medicare 2022. So, we weren’t surprised to see these last week. The “Thank you Veterans” email came from a domain, overfont[.]com, that was registered anonymously in Iceland (using Namecheap) less than 5 months ago.

Similarly, this “Choose Your 2022 Medicare Plan” email came from a website located on a server in Turkey. The domain altairlink[.]com was also registered anonymously in Iceland at about the same time in June as the above email.  This is no coincidence, in our opinion.  We think the same criminal gang is responsible for both emails.

Readers may enjoy this interesting research recently published by Nordpass, a digital security company. It reveals the top 200 most common passwords used by people around the world. Is YOUR password on this list? Perhaps it is time to visit our TDS article and learn how to create a set of easily remembered passwords that are strong, unique and fun, or our Scamadviser article reviewing 10 tips for creating strong passwords!

Comcast, Paypal, and Geek Squad – Comcast Cable TV owns the trademark service known as XFINITY. But this “X:FINITY” ain’t even close! It’s easy to see that the email came from a Gmail account called “perkffamm.” The link to “Activate Doubled Security” doesn’t point to Comcast or Xfinity but the phishing site you’ll see below wants you to think otherwise.  Deeeeleeeete!

When a reader sent us this PayPal phish, the links weren’t working but it is easy to see that it’s a phishing scam nonetheless.  The “service@paypal.com” in the FROM address is entered into the TEXT NAME FIELD!  The email really came from another Gmail account, as did the next phish below.  The email recipient DID NOT send a payment of $863.51 to Trycom Exchange!  That’s just a social engineering trick to get you to click!

While it is easy to spot the fraud in the FROM email address, we want readers to focus on the way these criminals have entered the phone number into this email. The reason for this is simple. They don’t want any email service or any anti-spam server to search and find the scammer’s phone number used in this phishing fraud.  So they present it in a format that doesn’t look like a phone number! Rest assured, again. You were not charged nearly $400 for Geek Support!

One Free Year of Netflix and Black Friday Deals on Sunglasses! – Here’s a challenge for you… How many spelling, capitalization and grammatical errors can you spot in this short email that says you’ve been selected for a free year of Netflix?  They even misspell Netflix! We count five! The link points to a very familiar account and malicious file on the Googleapis service that we’ve seen used many times by a cybercriminal gang. The name of the malicious web page is “shipblouseeE.” We also couldn’t help but notice that this email appears to have been sent “via” the domain of a daily newspaper published in Bandung, West Java, Indonesia called “Piriran-Rakyat.”  In any case, this isn’t Netflix (or Netflex either!)

Here we go again! Black Friday deals on Oakley Sunglasses! But the grammatical error in the subject line AND THE FACT THAT NO LEGITIMATE BUSINESS OFFERS 90% OFF tells us this is either malicious or a knock-off.  The email came from the domain “sjnetcab[.]” which was registered in China a few months ago and might sell cheap knock-offs. But the links in the email point to a different domain, zseok[.]com, which was registered a week before this landed in our inbox. Hmmm….. Our bet is that this is malicious clickbait! Lunge for the delete key!

*An Investment Opportunity Not to Miss! – In case you hadn’t noticed, cryptocurrencies have been all over the news and getting a lot of attention. According to Statista.com, there are more than 7,500 cryptocurrencies as of November, 2021! (According to e-cryptonews.com, the figure isn’t easy to pin down but the number is likely between 6,800 and 8,000.) Unsurprisingly, we are also seeing an increase in the number of questionable/scam websites and emails inviting people to purchase and invest in cryptocurrencies.  

This is also true for our scam-baiting friend, Rob. He recently received the following unsolicited email from someone identified as “Harry Noah.” Mr. Noah claimed to represent a cryptocurrency investing business called Crypto Flow Ltd, which is registered in the UK on the official UK government website.

On Thu, Nov 11, 2021 at 6:57 AM Harry Noah <lukeomeife@gmail.com> wrote:

Hello Sir,

We are an Investment firm targeted at creating seamless wealth through trading and investing in digital currency globally.

For more details reach me on my official email:

Let’s discuss business.

E-mail: harrynoah@pi.cryptoflowltd.co.uk

It was odd that the initial email from Mr. Noah came from a Gmail address called “lukeomeife” and NOT the official email address provided in his email. But Rob responded that he was interested and wanted to know more. Mr. Noah replied with this second email that also included an attached 10 page pdf file detailing an “investment presentation” from Harry Noah. Again, the reply was odd because the text field used the name “Harry Noah” but the email came from an address for “kevincrabs.”

From: Harry Noah <kevincrabs@pi.cryptoflowltd.co.uk>

Date: Sun, Nov 14, 2021 at 6:24 AM

Subject: Re: Investment opportunity

Hello Rob,
Thanks so much for your response. I have prepared a detailed presentation for better understanding. Kindly find the attached PDF. Go through it and revert back to me.

Sincerely,

Here are a few notable screenshots from Harry Noah’s pdf file. This first screenshot is from the top of page one. In it, Mr. Noah states that Rob can earn a lot of money by pulling in more than 100 other investors into this investment opportunity. We peeked underneath the hood of this pdf file and found it interesting that the “Content creator” of the file was written in Mandarin, not English. Google translated the Mandarin to “You are here.” This file was created on November 12, two days before it was sent to Rob.

    Mr. Noah’s pdf also detailed how Rob’s money could expect to grow if he invested with Crypto Flow Limited.  The expected growth on an investment is nothing short of remarkable!  In fact, we think it is unbelievable!

      Mr. Noah’s pdf file, as well as the website, cryptoflowltd.co.uk/about, both show the Experts and Team at Crypto Flow Ltd.  They include CEO Founder, Mr. Benjamin Spedding, as well as 3 other people, including Mr. Isaac Orlando, Head of IT but not shown in the pdf file.

      After reviewing the pdf, Rob told us that he replied again to Harry Noah, saying that this investment looked “too risky.” This time the email response appeared to come from “Kevin Crabtree” instead of “Harry Noah” but using the same email address as the previous email.

      From: Kevin Crabtree <kevincrabs@pi.cryptoflowltd.co.uk>

      Date: Sun, Nov 14, 2021 at 7:50 AM

      Subject: Re: Investment opportunity

      Thank you for your response. Do you actually mean the rates are too high? Well I am also an investor and I am pretty much comfortable with the rates and so far it has been paying well. I will never tell someone about what I don’t do myself. If you could give it a try you will definitely see for yourself.

      REGARDS,

      PRIME INVESTORS GROUP

      54 Bootham, York,

      North Yorkshire,

      United Kingdom, YO30 7XZ

      Toll Free: +44 159 480 8776

      www.cryptoflowltd.co.uk

      Rob exchanged a few more emails with Kevin Crabtree before pulling out.  However, one more notable email came when Rob asked Mr. Crabtree how long Crypto Flow Ltd had been in business.  Here is his response. Note the awkward English.  Also, the “lowest plan” that Mr. Crabtree advises Rob to purchase, costs $2,000-$4,999 and promises a weekly interest rate of 2.80-2.95% for each week of the 180 day contract!  At this astonishing growth rate, why wouldn’t this business just invest their own money?

      From: Kevin Crabtree <kevincrabs@pi.cryptoflowltd.co.uk>

      Date: Sun, Nov 14, 2021 at 3:25 PM

      Subject: Re: Investment opportunity

      Well, probably over 10 years but I can only rely on records. Their business was registered in 2017 so that is the best record I can point to. I will advice you give it a try by investing with the lowest plan for a start and watch as it goes before making any further decision.

      REGARDS,

      PRIME INVESTORS GROUP

      54 Bootham, York,

      North Yorkshire,

      United Kingdom, YO30 7XZ

      Toll Free: +44 159 480 8776

      www.cryptoflowltd.co.uk
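The sender mismatches pointed out in the PayPal phish and in this email thread can be checked mechanically. The sketch below is an added example, not code from The Daily Scam or Scamadviser; the function names and the `FREE_MAIL` set are assumptions, and the PayPal sender address is a constructed placeholder because the page does not give it.

```python
import re
from collections import defaultdict
from email.utils import parseaddr

ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
FREE_MAIL = {"gmail.com", "consultant.com"}  # assumption: the two free services named on this page

def sender_findings(from_header, body=""):
    """Flag mismatches between what a From header displays and where the mail came from."""
    name, addr = parseaddr(from_header)
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    # An email address typed into the display-name field that is not the real sender.
    shown = ADDR_RE.search(name)
    if shown and shown.group(1).lower() != sender_domain:
        findings.append(f"display name shows {shown.group(0)} but sender is {addr}")
    # A free-mail sender whose message body advertises an "official" address elsewhere.
    if sender_domain in FREE_MAIL:
        others = {m.group(1).lower() for m in ADDR_RE.finditer(body)} - {sender_domain}
        for domain in sorted(others):
            findings.append(f"free-mail sender {addr} points to 'official' domain {domain}")
    return findings

def names_per_address(from_headers):
    """Return addresses that appear in a thread under more than one display name."""
    seen = defaultdict(set)
    for header in from_headers:
        name, addr = parseaddr(header)
        seen[addr.lower()].add(name)
    return {a: sorted(n) for a, n in seen.items() if len(n) > 1}

# Headers quoted on this page, except the PayPal sender, which is constructed.
PAYPAL = '"service@paypal.com" <constructed-sender@gmail.com>'
FIRST = "Harry Noah <lukeomeife@gmail.com>"
BODY = "For more details reach me on my official email: harrynoah@pi.cryptoflowltd.co.uk"
THREAD = [
    "Harry Noah <kevincrabs@pi.cryptoflowltd.co.uk>",
    "Kevin Crabtree <kevincrabs@pi.cryptoflowltd.co.uk>",
]

if __name__ == "__main__":
    for finding in sender_findings(PAYPAL) + sender_findings(FIRST, BODY):
        print(finding)
    print(names_per_address(THREAD))
```
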

      We have found MANY red flags and concerns about the business called Crypto Flow Ltd. and are working on a full feature article about this cryptocurrency investment company.  However, here are some of our concerns, in addition to the odd use of email addresses and awkward English mentioned above…  

      Most importantly, the domain used for Crypto Flow Ltd: cryptoflowltd.co.uk appears to be less than 2 months old! According to several WHOIS tools, this domain was first registered on October 5, 2021. Not a single WHOIS service can identify the owner of this domain, or the business it was registered to. And yet, the Crypto Flow Ltd website says they have been in business since 2017 and Mr. Crabtree says “probably over 10 years.”

      But what of that official record on the UK Government website for Crypto Flow Ltd AND its founders, such as Mr. Benjamin John Spedding? The UK Government website itself says, “The fact that the information has been placed on the public record should not be taken to indicate that Companies House has verified or validated it in any way.” In other words, this official website does NOT verify the authenticity or legitimacy of the businesses registered with it!

      Perhaps most interesting of all of the evidence that puts Crypto Flow Ltd into doubt is the fact that we could not find any of the Crypto Flow Ltd Team members ANYWHERE ELSE on the internet, including LinkedIn, EXCEPT on the Crypto Flow website and one other website.  According to TinEye.com, three of the 4 leaders of Crypto Flow Ltd were images recently created using artificial intelligence by the service called Generated.photos. This means the faces you see in these pictures DON’T EXIST IN REAL LIFE! They were computer-generated images!  Below is the TinEye screenshot of the search for the CEO, Benjamin Spedding. You can also view “Mr. Spedding” directly on Generated.Photos using this link.

      Given all of the above information, we think Rob was right to step away from this “investment.”  He told us that he responded to Kevin Crabtree by saying that his investment firm felt like a Ponzi scheme.  (Remember the Ponzi scheme created by Bernie Madoff?)  Rob isn’t alone in this assessment of Crypto Flow Ltd! Check out this review about them from BestBinaryOptionsWatch.com. It also says that their rate of return is unrealistic and feels like a pyramid scheme.  This investment firm is NOT to be trusted in our opinion! In response to Rob’s last email, Mr. Crabtree said, “Before you say something is a scam you need to have your proofs. This is a registered company in the UK.”  I believe we have our “proofs!”

      We want our readers to be aware that there are LOTS of scams online related to cryptocurrencies. Even the news about cryptocurrencies has sometimes been manipulated! Check out this recent article on CNN about fake information being released from Kroger’s supermarket about allowing the use of Bitcoins in their chain of supermarkets. Can you imagine the positive impact this may have had on Bitcoin trading that day? So the next time you see an email, such as this next one from Mr. Alexander Gilbert who claims to represent another questionable company called Entirety Trading Company, THINK TWICE!  For example, Mr. Gilbert’s email came from a free email service at “consultant.com” rather than the business he claims to represent.  But, we are also investigating Entirety Trading Company, from Sydney, Australia, which uses the domain entirecrypto.com.

      We wish to note that Entirety Trading Company, from Sydney, Australia, can’t be found on the Australian Government Securities and Investment Commission website. (The most similarly named business, called ENTIRETY, was cancelled.)  Also, for a trading company created in 2008, it is remarkable that Google shows very little information about it when searching for its name and next to nothing when searching for information before 2019. (Remember, unlike United States Banks backed by the FDIC, these online investment firms are not backed or insured by any government we can find. There is no FDIC protecting consumers who invest in these questionable businesses.) Check out our article on Scamadviser titled “Can Cryptocurrency Be Recovered From Scammers?”  When it comes to investing in cryptocurrencies, CAVEAT EMPTOR!

      *Many thanks to Rob for bringing this story to our attention and contributing to the research detailed in our article. Read more about these sketchy cryptocurrency investment websites in our latest feature article!

      Facebook Login, Authenticate Here & Incoming Mail Delayed – “Did you log into Facebook from a new location” says this email that came from a server in the UK.  We were told that our account password was successfully changed! Oh no! The Facebook Security Team invited us to confirm or deny this change.  HITTING EITHER RESPONSE would have sent that response to a real security address at Facebook, along with 31 other email addresses from around the world, including Russia and Germany.  Auf Wiedersehen!

      Rent to Own Home – We want readers to notice that texts that you agree to sign up for usually come from a texting service as a short code.  Texts that arrive from a phone number were sent by a person, such as this text from 786-526-1070, which includes a VERY malicious link that is hard to read due to the chosen font.  “Rent1own2home3[.]link” was registered less than 2 weeks earlier in Iceland.  Sound familiar? Delete!

      Until next week, surf safely!

      Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved.